From 21d379267d2c1fd040ac3757d21dff14d3c18c51 Mon Sep 17 00:00:00 2001 From: Alex Hung Date: Tue, 9 May 2023 14:33:33 -0700 Subject: [PATCH 1/2] Update README with new checksum verification steps --- README.md | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 02a6e5a..9102971 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ vault write -f artifactory/config/admin ### Using pre-built releases -You can find pre-built releases of the plugin [here][artreleases]. Once you have downloaded the latest archive corresponding to your target OS, unzip it to retrieve the `artifactory-secrets-plugin` binary file. +You can find pre-built releases of the plugin [here][artreleases] and download the latest binary file corresponding to your target OS. ### From Sources 
@@ -129,10 +129,11 @@ vault plugin register \ secret artifactory ``` -* NOTE: you may need to also add arguments to the registration like `-args="-ca-cert ca.pem` or something insecure like: `-args="-tls-skip-verify"` depending on your environment. (see `./path/to/plugins/artifactory -help` for all the options) +> **Note** +> you may need to also add arguments to the registration like `-args="-ca-cert ca.pem` or something insecure like: `-args="-tls-skip-verify"` depending on your environment. (see `./path/to/plugins/artifactory -help` for all the options) > **Note** -> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. At minimum, you should use the checksum provided as [part of the release](https://github.com/jfrog/artifactory-secrets-plugin/releases). +> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. Instead you should use the checksum provided as [part of the release](https://github.com/jfrog/artifactory-secrets-plugin/releases). See [How to verify binary checksums](#how-to-verify-binary-checksums) section. You can now enable the Artifactory secrets plugin: 
@@ -140,6 +141,31 @@ You can now enable the Artifactory secrets plugin: vault secrets enable artifactory ``` +### How to verify binary checksums + +Checksums for each binary are provided in the `artifactory-secrets-plugin__checksums.txt` file. It is signed with the public key `artifactory-secrets-plugin-public-key.asc` which creates the signature file `artifactory-secrets-plugin__checksums.txt.sig`. + +If the public key is not in your GPG keychain, import it: +```sh +gpg --import artifactory-secrets-plugin-public-key.asc +``` + +Then verify the checksums file signature: + +```sh +gpg --verify artifactory-secrets-plugin__checksums.txt.sig +``` + +You should see something like the following: +```sh +gpg: assuming signed data in 'artifactory-secrets-plugin_0.2.17_checksums.txt' +gpg: Signature made Mon May 8 14:22:12 2023 PDT +gpg: using RSA key ED4FF1CD6C2318B470A33A1659FE1520A4A355CD +gpg: Good signature from "Alex Hung " [ultimate] +``` + +With the checksums file verified, you can now safely use the SHA256 checkum inside as part of the Vault plugin registration (vs calling `sha256sum`). + ### Artifactory 1. Log into the Artifactory UI as an "admin". From 39c9730c9337932dbfcf2c78508ea7638564185e Mon Sep 17 00:00:00 2001 From: Alex Hung Date: Tue, 9 May 2023 14:34:45 -0700 Subject: [PATCH 2/2] Update CHANGELOG --- CHANGELOG.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86c8e4a..7f0fd5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +## 0.3.0 (May 10, 2023) + +IMPROVEMENTS: +- Update release process to publish the binaries directly (without zipping). The checksums file now contain checksums for the binaries (vs the zip file). Issue: [#81](https://github.com/jfrog/artifactory-secrets-plugin/issues/81) PR: [#99](https://github.com/jfrog/artifactory-secrets-plugin/pull/99) + ## 0.2.17 (April 25, 2023) IMPROVEMENTS: 
@@ -57,13 +62,13 @@ IMPROVEMENTS: - Switch to using POSTing JSON (instead of form) when creating token. - `expires_in` and `force_revocable` fields are now opt-in. -Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/pull/50) PR: [#52](https://github.com/jfrog/artifactory-secrets-plugin/pull/52) +Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/issues/50) PR: [#52](https://github.com/jfrog/artifactory-secrets-plugin/pull/52) ## 0.2.10 (March 13, 2023) BUG FIXES: -- Temporarily disable `force_revocable` due to revoke token failing. Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/pull/50) PR: [#51](https://github.com/jfrog/artifactory-secrets-plugin/pull/51) +- Temporarily disable `force_revocable` due to revoke token failing. Issue: [#50](https://github.com/jfrog/artifactory-secrets-plugin/issues/50) PR: [#51](https://github.com/jfrog/artifactory-secrets-plugin/pull/51) ## 0.2.9 (March 13, 2023)
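Review bot: In the README hunk at `@@ -96,7 +96,7`, the reworded "Using pre-built releases" paragraph tells the reader to download a binary but no longer names it (`artifactory-secrets-plugin` was dropped with the unzip step) and gives no pointer to verification. This is the point where a user actually fetches the file, so link to the new "How to verify binary checksums" section from here and say what the downloaded file is called, so the later registration steps can refer to it unambiguously.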
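Review bot: In the README hunk at `@@ -129,10 +129,11`, the converted note still carries the unterminated quote in `-args="-ca-cert ca.pem`; close it as `-args="-ca-cert ca.pem"` so the example can be copied as written. Since the line is being rewritten anyway, capitalize "you may need" after the `> **Note**` marker, and replace "something insecure like" with a plain statement that `-tls-skip-verify` is not for production use, matching the wording of the checksum note that follows it.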
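Review bot: In the new "How to verify binary checksums" section (README hunk `@@ -140,6 +141,31`), the sentence "It is signed with the public key `artifactory-secrets-plugin-public-key.asc`" is backwards: the signature is produced with the private key, and the `.asc` public key is only what verifies it. The section also never tells the reader how to trust that key. If it is downloaded alongside the signature, a "Good signature" line alone proves little, and a freshly imported key will not show `[ultimate]` as in the sample output but a warning that the key is not certified with a trusted signature. State the expected fingerprint (`ED4FF1CD6C2318B470A33A1659FE1520A4A355CD` in the sample) as the value to compare against and adjust the sample output to what a new user will see. Smaller points in the same hunk: the file names read `artifactory-secrets-plugin__checksums.txt` with an empty version slot while the sample shows `artifactory-secrets-plugin_0.2.17_checksums.txt`, so spell out the version placeholder; pass both the `.sig` and the checksums file to `gpg --verify` rather than relying on the "assuming signed data in" guess; the gpg output block is fenced as `sh` although it is not a command; and "checkum" is a typo.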
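Review bot: In the CHANGELOG hunk at `@@ -1,3 +1,8`, the 0.3.0 entry lists the move from zip archives to bare binaries under IMPROVEMENTS, but it changes what users download and what the checksums file covers, so any install automation that unzips the archive or pins the zip checksum will stop working. Flag that explicitly in the entry and point to the README section on verifying checksums. Also, "The checksums file now contain" should read "now contains", and the entry is dated May 10, 2023 while the commit is dated 9 May 2023, so confirm the release date before merging.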